Wednesday, March 20, 2013

Use case

We want to create a regular Google Drive account owned by an application. The application enables users to upload or view files within that account. Since Google Drive API provides javascript library the goal is to use javascript for all the logic (upload and view files) with minimum engagement of server side processing.

For the purpose of creating an application owned account Google provides two options:

SERVICE ACCOUNT
Application is authorized by .pk12 certificate; the drawback is that only the application can see documents it created -
documents cannot be viewed for example through Google Drive UI.

REGULAR GOOGLE ACCOUNT used by the application onlyThis option is our choice because we want to access stored files using Google Drive UI too.

To access a Google account using Google API we have to ensure correct handling of authentication and authorization procedures - Google API supports OAuth2 protocol. To make a long story short: to call Google API from the client side (javascript) we need to associate each request with a valid short term (1 hour expiration) access token (that grants access to the desired Google account). Typical use case when using javascript library is to ask users to grant access for the application to their own documents in their own Google accounts by invoking Google UI authorization dialog. However, our scenario is different: we want to let users transparently upload documents into the application owned account skipping any explicit (UI) authorization steps.

The application can ask Google token endpoint for a new access token if the current one expires only if it has permanent (and stored) refresh token. To get refresh token in advance (read more about offline access) few steps are required:

Retrieve refresh token: ask Google's authentication endpoint for the application authorization code (it redirects to configured redirect URI) and adds authorization code as request parameter. Then exchange the authorization code (and some other parameters) for the access token and refresh token (example of the server side call is explained later in this article). This step may even occur in another application - for those who only need to get their refresh token, I've deployed simple application that can assist in retrieving the refresh token without writing a line of server side code.

The tricky part is to ensure that we always have a valid access token. We can get it only using server side logic and then pass it to javascript. I've encapsulated the check for token's expiration and fresh access token retrieval routine in standalone helper class AccessTokenHolder:

Adding to the previous comment about doing it using PHP - Sorry I am not familiar with Java and would like to implement this using php. I am not clear about the Google UI authorization dialog. Is it still being shown to the user? If not how is it being handled on the server? Does java help in this regard? Would I be able to do the same with PHP? some more explanation would be very helpful! Thanks!